ReQruiting’s Legal and General Terms and Conditions

Version 2026

This Privacy Policy explains how ReQruiting handles your personal information and data. We value the trust you place in us. This Privacy Policy applies to all products, services, and web services offered by ReQruiting ApS.

---

If You Are an Applicant / Candidate for a Position

The recruitment process is managed by a primary contact from the hiring company. ReQruiting is a platform for HR data and recruitment and collects the data that you submit/upload to the owner of the recruitment process. If you have questions regarding a specific recruitment process, you must contact the primary contact directly, as ReQruiting is not responsible for the recruitment itself.

ReQruiting does not sell or share your data with third parties or marketers. ReQruiting acts solely as a data processor on behalf of the recruitment owners, who control your data.

All data is stored on servers located within the EU.

After a recruitment process has ended, ReQruiting deletes your information no later than six months after the company has marked the recruitment process as completed.

---

If You Are an Employee and Your Information Has Been Registered

The recruitment process is managed by a primary contact from the hiring company. ReQruiting is a platform for HR data and recruitment and collects the data that you submit/upload to the owner. If you have questions regarding the storage of your data, you must contact the primary contact directly.

ReQruiting does not sell or share your data with third parties or marketers. ReQruiting acts solely as a data processor of your data on behalf of the data owners.

All data is stored on servers located within the EU.

---

Information ReQruiting Collects Directly From You

Information We Collect Indirectly or Passively Through Your Interactions With Us

Usage Data

We collect usage data when you interact with our services. This may include which webpages you visit, what you click on, when you performed these actions, etc. Additionally, like most websites today, our web servers store log files that record data each time a device accesses those servers. The log files contain data about the nature of each access, including originating IP addresses, internet service providers, which files were viewed on our site (e.g., HTML pages, graphics, etc.), operating system versions, and timestamps.

Device Data

We collect data from the device and application you use to access our services, such as IP address, operating system version, device type, system and performance information, and browser type. We may also derive your geographic location from your IP address.

Referral Data

If you arrive at a ReQruiting website from an external source (such as a link on another website or in an email), we record information about the source that referred you to us.

Cookies

ReQruiting uses cookies and similar technologies on our websites. Cookies are small data files that we store on the device you use to access our services so we can recognize returning users. Each cookie expires after a certain period of time, depending on its purpose.

Google Analytics

In addition to the above, we have implemented certain Google Analytics advertising features on our websites and in other services, including retargeting.

---

Why Do We Collect Data?

In general, we use the information we collect from you to improve our services. We perform internal statistical and other analyses of the information we collect to analyze and measure user behavior and trends, to understand how ReQruiting’s services are used, and to monitor, troubleshoot, and improve our services, including helping us evaluate or develop new features. ReQruiting uses your information for internal purposes designed to keep our services secure and operational, such as troubleshooting and testing, as well as for service improvement, marketing, research, and development purposes.

We also collect and use data:

• To respond to legal requests and prevent harm

• To enforce our terms of use

• To prevent illegal activities

• To screen for and prevent unwanted or inappropriate activity

• To create new services, features, or content

• To make account creation and login processes easier

• To contact you regarding your service or account

Version 2026

Introduction

This IT Security Policy constitutes the overall framework for IT security at ReQruiting. As part of the overall IT security governance, management reassesses the IT Security Policy at least once a year based on ongoing monitoring and reporting.

---

Purpose

IT security surrounding the HR and recruitment system is of vital importance to ReQruiting’s credibility and operational reliability.

The purpose of this IT Security Policy is to define a framework for protecting customer information within the HR and recruitment system, and specifically to ensure that critical, confidential, and sensitive information maintains its confidentiality, integrity, and availability. ReQruiting’s management has therefore adopted a level of protection aligned with risk and materiality, and which also complies with applicable legal requirements and contractual obligations, including license terms.

The intention of this IT Security Policy is also to clearly communicate to everyone associated with ReQruiting that the use of information and information systems is subject to guidelines and rules. In this way, security incidents can be prevented, potential damage limited, and restoration of information ensured.

---

Scope

This IT Security Policy covers ReQruiting’s information, meaning any information belonging to ReQruiting. It also covers information that does not belong to ReQruiting but has been entered into the system by customers. This includes, for example, personnel information, financial information, all data contributing to system administration, production data, facility data, and information entrusted to ReQruiting by third parties. Such information may consist of factual data, records, registrations, reports, planning assumptions, or any other information intended for internal use only.

This IT Security Policy applies to all ReQruiting information regardless of how it is stored or transmitted. The policy applies to all employees without exception, including permanent and temporary staff. All such individuals are referred to as “users.”

---

Security Level

It is ReQruiting’s policy to protect its information. Therefore, use, access to, and disclosure of information is permitted only in accordance with ReQruiting’s guidelines and with due regard to applicable legislation at all times. Based on a risk assessment, ReQruiting adopts a security level corresponding to the significance of the information concerned. ReQruiting conducts a balanced risk assessment taking financial considerations into account. The risk assessment is conducted at least annually, enabling management to remain informed about the current risk landscape.

In cases of outsourcing, cooperation with service providers must ensure that ReQruiting’s adopted security level is maintained.

---

IT Security Awareness

IT security concerns ReQruiting’s entire information flow, and the implementation of an IT Security Policy cannot be carried out by management alone. All users have a responsibility to contribute to the protection of ReQruiting’s information against unauthorized access, alteration, destruction, and theft. Therefore, all users must receive ongoing information and training in IT security to a relevant extent. As users of ReQruiting’s information, all employees must comply with this IT Security Policy and all related and derived documents.

---

Breaches of Information Security

If a user becomes aware of threats to IT security or breaches thereof, this must be reported immediately to the appropriate authority. Users who violate the IT Security Policy or related rules will be subject to disciplinary measures in accordance with ReQruiting’s applicable policies and staff regulations.

Version 2026

Use of ReQruiting’s website and services is subject to this policy. If you violate these policies at any time, as determined solely by ReQruiting ApS, we may issue a warning or suspend or terminate your account. Please note that, in accordance with ReQruiting’s Terms of Use, we may modify this policy at any time. It is your responsibility to stay informed about and comply with this policy.

ReQruiting has a zero-tolerance policy toward spam. This means that all candidates must have agreed to receive communications from the sender, i.e., you/the Customer. Subscriber accounts that send unsolicited email messages may be terminated.

You/The Customer are responsible for ensuring that the email messages you send in connection with your use of ReQruiting do not generate spam complaints or result in bounce rates exceeding industry standards. If ReQruiting determines that your level of spam complaints or bounce rate exceeds industry standards, ReQruiting reserves the right, at its sole discretion, to suspend or terminate your use of its website and services.

---

Email Restrictions

You/The Customer may only use ReQruiting to send emails to candidates who have given you permission to contact them by email. If you do not have proof that each individual candidate on your list has opted in to receive your emails, you must not import them into ReQruiting.

Emails sent through ReQruiting must contain a valid reply-to email address that is owned or controlled by you.

You/The Customer may not use a candidate’s email address to send any commercial electronic messages to a recipient who has unsubscribed, revoked their subscription, or otherwise opted out of receiving such communications either from you or from others you may have authorized to act on your behalf.

You/The Customer may not use ReQruiting to send emails with misleading subject lines or false or deceptive headers.

---

Report Spam

If you suspect that ReQruiting has been used to send spam, please contact us immediately at info@reQruiting.com. We will investigate the matter promptly.

Version 2026

ReQruiting automatically ensures that candidates of the customer have given consent and that data is deleted in accordance with the EU General Data Protection Regulation (GDPR). This is contingent upon the customer complying with ReQruiting’s GDPR guidelines for using the system. For example, it is the responsibility of the customer/user to ensure that candidate data is deleted if such data has been downloaded and stored outside of ReQruiting’s IT system.

---

ReQruiting’s Guidelines

• When the customer downloads data from ReQruiting’s IT system, it is the customer’s responsibility to ensure that the data is stored or deleted in compliance with the EU GDPR.

• When the customer uploads data outside of the system’s instructions and functions, it is the customer’s responsibility to ensure that consent has been obtained from the individual whose data is being stored.

• Upon completion of a recruitment process, the customer must either manually delete candidate data or mark the recruitment as completed, whereby the IT system automatically deletes the candidates in accordance with their consent.

• Upon completion of an employment process, the customer must either manually delete employee data or mark the employee as “no longer employed,” whereby the IT system automatically deletes the employee in accordance with the EU GDPR.

• If the customer/user chooses to modify the standard consent settings, it is the customer’s/user’s responsibility to ensure that the changes comply with the EU GDPR.

• Specifically, if the customer extends the consent period for using ReQruiting’s talent database (Talent Pool) beyond six months, which is the IT system’s default setting, the customer must also update consent to match the new period.

• ReQruiting recommends that customers establish an internal process for handling personal data.

• In cases where the customer stores candidate data without proper consent or notification obligations, ReQruiting disclaims any responsibility or obligation to secure consent on behalf of the customer, and ReQruiting cannot be held liable for missing consent or disclosure.

Version 2026

1.0 Introduction

The operation of the website is managed by ReQruiting ApS, Nørregade 10A, 4600 Køge, Denmark. Below are the terms and conditions for using ReQruiting’s platform.

---

2.0 General Terms

Access to ReQruiting’s platform requires a company profile linked to either a free or paid subscription. A company profile must have a legally registered CVR number associated with it. The following contains the legal terms and conditions you agree to when using ReQruiting’s digital services. The agreement may be amended if changes in law or impracticalities in the agreement necessitate it.

A company profile is limited to the specific individuals listed in the company profile as the primary contact. If you act on behalf of another person, business entity, or company, you confirm that you are authorized to accept this free or paid subscription agreement. The legal entity in the subscription agreement is either you or the company specified in the profile, hereafter referred to as „the customer.“

---

2.1 Services

ReQruiting is a digital recruitment and HR service consisting of software developed by ReQruiting.

The service may include support or services offered free of charge, via subscription, or through a separate agreement.

The service is a standard service, and ReQruiting does not guarantee that it will meet the customer’s specific requirements or that using the service will lead to concrete results for the customer.

ReQruiting’s digital service supports the most common browsers in their latest versions. The service is continuously updated to support new browsers and new versions of existing browsers as they become generally available.

---

2.2 Subscription Terms, including Commencement, Termination, and Payment

The customer is informed that subscription services consist of digital services, and you therefore do not have the right to terminate a paid subscription—such as Recruit, HR & Recruit, All-in-One, Recruiter Light, or Recruiter Complete—before the end of the subscription period once you have started using the service. The exception is the free subscription, FREE, which may be canceled immediately.

Use of ReQruiting’s services is limited to the specific customers listed in the company profile as the primary contact or user, and subsequently created users. Each user receives a unique individual username and associated password. Usernames and passwords cannot be transferred to another customer/person without ReQruiting’s consent.

The paid subscription becomes effective when the customer selects the service and payment has been made, either via credit card or bank transfer to ReQruiting. If the subscription is not canceled before the end of the subscription period, it will automatically continue into a new subscription period. Payment will either be automatically charged to the customer’s credit card used for the previous payment, or the customer will receive a new invoice, thereby approving automatic payment. The subscription continues on the same terms for a new period of the same length as the previous one. For example, a monthly subscription will continue for another month unless canceled by the customer before the end of the current subscription period, after which the customer reverts to the free subscription, FREE. Cancellation of a paid subscription must occur before the end of the subscription period. This can be done by logging into the profile and canceling under account settings, or by emailing info@reqruiting.com. Upon cancellation, the customer will retain access to the service until the end of the subscription period.

The free subscription can be canceled at any time by the customer, or by ReQruiting if the customer has not logged into the company profile for at least one year. This can be done by logging into the profile and deleting the profile under settings or via email to info@reqruiting.com.

Upon termination of the service, ReQruiting deletes all personal data associated with the company or candidate profile unless EU or national law requires retention. Deletion occurs immediately.

---

2.3 Payment Terms

The platform includes a payment module for subscriptions, job postings, and other services. Payments are invoiced unless otherwise agreed.

For payment of additional services, charges are applied after the service is delivered. Unless otherwise agreed, payment terms are net 8 days after the service is marked as delivered in the platform. Late payments incur a reminder fee, currently DKK 100.

Credit card payments may include a transaction fee depending on the card used. The service price is always available on the website. The customer automatically receives an invoice.

2.3.1 Payment Terms for Job Posting Purchases

If the customer purchases a job posting through ReQruiting, ReQruiting is granted a non-exclusive, royalty-free right to reproduce and communicate the customer’s name and trademark on external job portals such as LinkedIn, Facebook, Jobindex, etc. ReQruiting is also authorized to accept the applicable terms and conditions of advertising on these external job portals on behalf of the customer.

ReQruiting reserves the right to refuse to distribute job postings that violate applicable laws, regulations, or ReQruiting’s interests.

No withdrawal rights are granted after a job posting has been published. The price is always stated on the website, and the customer automatically receives an invoice.

2.3.2 ReQruiting’s Obligations Related to Purchases

When a customer purchases services from ReQruiting’s partners, such as job postings, tests, or consultancy, ReQruiting processes data and personal information on behalf of its partners to support the customer. Partners include Jobindex, LinkedIn, Facebook, jobDanmark, among others, and can be viewed here:

https://www.reqruiting.com/samarbejdspartnere/

Data is processed in accordance with the data processing agreement.

---

2.4 Price

All prices are stated excluding VAT and other fees. ReQruiting may adjust service prices to take effect from a new subscription period. Price adjustments are limited to changes in Denmark’s net price index and may never exceed the prices listed at: https://www.reqruiting.com/priser/

Price adjustments are communicated in writing to the customer at least 30 days before the start of a new subscription period.

2.4.1 Price Structure

Unless otherwise agreed, prices follow the customer’s subscription choice. See:

• https://www.reqruiting.com/priser/ for company prices

• https://www.reqruiting.com/for-rekrutteringskonsulenter/ for recruitment consultant subscriptions

Additional purchases include:

• Extra company profile with its own CVR number + chosen subscription: -20% off extra

• Maintenance of integrations with external systems, e.g., payroll or time systems: + DKK 2,500/year

• Extraordinary support (e.g., restoration of candidates, employees, or recruitments mistakenly deleted): DKK 995 per hour started

Prices are automatically adjusted at the next payment to match customer usage.

---

2.5 Registration

The customer must provide complete and accurate information when creating a company profile as primary contact or user. ReQruiting must be notified immediately of any changes.

The customer must ensure secure and confidential storage of usernames and passwords. If a username or password is misused, or any unauthorized use of the service occurs, the customer must immediately inform ReQruiting.

If ReQruiting has reasonable cause to suspect misuse of its digital service, it will notify the customer and take necessary measures, including denying access.

---

2.6 Customer Obligations

The customer must comply with ReQruiting’s guidelines, including this subscription agreement. The customer may not attempt to access underlying databases or other system resources. The service must not be used in ways harmful to ReQruiting or third parties, including spamming.

The customer guarantees that their use complies with applicable laws, including marketing and data protection laws, and is solely responsible for candidates and third parties for any claims arising from service use.

---

2.7 Customer Intellectual Property Rights (IP)

The customer owns all rights to data, including employee or applicant data, and any related information generated through service use.

ReQruiting owns all rights to the service and its components, including name, logo, programming, databases, design, graphics, and text, except for materials originally owned by the customer.

The customer may not use the service or any ReQruiting-owned material without a written agreement, but acquires a license to use their data. The license is conditional on payment of agreed fees. Both parties indemnify the other for losses arising from third-party claims regarding information, design, specifications, software, data, or other assets.

---

2.8 Liability

Both the customer and ReQruiting are liable under Danish law. ReQruiting is not responsible for indirect data loss, e.g., due to the customer deleting data.

ReQruiting is also not liable for losses caused directly or indirectly by system errors, unless due to intentional or gross negligence. Data collected on behalf of the customer remains the customer’s property. ReQruiting keeps a six-month backup to quickly restore data in case of system failure.

---

2.9 Breach

The subscription may be terminated immediately for material breaches by either party not remedied within thirty days after written notice. Customer breaches include:

• Using the service contrary to its purpose

• Illegal copying of ReQruiting trademarks, software, or other elements

• Failing obligations under subscription terms

• Granting unauthorized third-party access

Prepaid amounts are non-refundable for customer breaches. For ReQruiting breaches, prepayments are refunded pro rata. Customers are not entitled to additional compensation. Defects must be reported promptly, no later than six months after delivery.

---

2.10 Communication

ReQruiting may send occasional business or service-related communications (billing, service changes, welcome emails). These cannot be opted out of, as they are necessary for service provision. Communication may occur before and after recruitment processes via email or phone.

---

3.0 Release of Data upon ReQruiting ApS’ Termination, Bankruptcy, or Liquidation

All information ReQruiting holds regarding employees, applicants, or the data controller is accessible via the platform unless automatically deleted per the data processing agreement.

In the event of ReQruiting’s termination, bankruptcy, or liquidation, the data is accessible via Simple Solution P/S, CVR: 39317850. By contacting Simple Solution at info@simplesolution.dk or +45 70 20 10 82 with the customer’s name, CVR number, and proof of platform use, the data controller can retrieve all information. If the data controller does not contact Simple Solution within three months of ReQruiting’s termination, data will be deleted.

Further inquiries can be directed to the data processor.

---

4.0 Force Majeure

Neither party is liable for damages if non-performance is due to force majeure, defined as strikes, lockouts, war, epidemics, natural disasters, or fire, which could not reasonably have been anticipated or avoided at the time of agreement signing.

---

5.0 Agreements on Other Matters

Both parties agree to keep confidential any business secrets, customer information, or other confidential information. Confidentiality does not apply to information already public at the time of the agreement, or if proven that the recipient already knew it.

Both parties must ensure employees and subcontractors are bound by similar confidentiality obligations.

Pursuant to Article 28(3) of Regulation (EU) 2016/679 (General Data Protection Regulation) for the processing of personal data by a processor

Between

XXX
Company Registration No.:

Hereinafter referred to as “the Data Controller”

And

ReQruiting ApS
Company Registration No.: 37418641
Nørregade 10 A, 4600 Køge, Denmark

Hereinafter referred to as “the Processor”

Each a “Party” and together the “Parties”

Have agreed to the following Standard Contractual Clauses (“Clauses”) to comply with the General Data Protection Regulation and to ensure the protection of privacy and fundamental rights and freedoms of natural persons.

---

Table of Contents

1. Preamble
2. Rights and obligations of the Data Controller
3. Processor acts on instructions
4. Confidentiality
5. Processing security
6. Use of subprocessors
7. Transfer to third countries or international organizations
8. Assistance to the Data Controller
9. Notification of personal data breaches
10. Deletion and return of data
11. Audit, including inspection
12. Parties’ agreement on other matters
13. Commencement and termination
14. Contact persons of the Data Controller and Processor

Annexes:

• Annex A: Details of the Processing
• Annex B: Subprocessors
• Annex C: Instructions regarding personal data processing
• Annex D: Parties’ regulation of other matters

---

2. Preamble

These Clauses set out the rights and obligations of the Processor when processing personal data on behalf of the Data Controller.

The Clauses are designed to ensure compliance with Article 28(3) of the European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

In connection with the provision of an electronic recruitment system, the Processor processes personal data on behalf of the Data Controller in accordance with these Clauses.

The Clauses take precedence over any similar provisions in other agreements between the Parties.

The Clauses are accompanied by four annexes, which form an integral part of the Clauses:

• Annex A: Information about the processing, including purposes, nature, types of personal data, categories of data subjects, and duration of processing.
• Annex B: Conditions for use of subprocessors and a list of approved subprocessors.
• Annex C: Instructions for the processing, description of security measures, and monitoring of the Processor and any subprocessors.
• Annex D: Provisions concerning other activities not covered by these Clauses.

These Clauses do not exempt the Processor from obligations under GDPR or other applicable laws.

---

3. Rights and Obligations of the Data Controller

The Data Controller is responsible for ensuring that the processing of personal data complies with GDPR (Article 24), other EU or national laws, and these Clauses.

The Data Controller has the right and duty to decide the purposes and means of personal data processing and must ensure a lawful basis for the processing instructed to the Processor.

---

4. Processor Acts on Instructions

The Processor shall process personal data only on documented instructions from the Data Controller, unless required by EU or national law. Instructions are specified in Annex A and C. Any subsequent instructions must also be documented.

The Processor shall notify the Data Controller immediately if an instruction appears to conflict with GDPR or other applicable laws.

---

5. Confidentiality

The Processor shall grant access to personal data only to persons under its authority, who have committed to confidentiality or are subject to statutory confidentiality, and only to the extent necessary.

The list of persons with access must be regularly reviewed. Access must be revoked when no longer necessary.

Upon request, the Processor shall demonstrate that personnel are bound by the confidentiality obligations.

---

6. Processing Security

In accordance with Article 32 GDPR, both Parties shall implement appropriate technical and organizational measures, considering the risks to individuals’ rights and freedoms.

This may include:

• Pseudonymization and encryption of personal data
• Ensuring confidentiality, integrity, availability, and resilience of processing systems
• Ability to restore access and availability of personal data in case of incident
• Regular testing and evaluation of security measures

The Processor shall assist the Data Controller in fulfilling its obligations under Article 32 GDPR and provide information on implemented security measures.

If additional measures are required, the Data Controller shall specify them in Annex C.

---

7. Use of Subprocessors

The Processor may only use a subprocessor with prior general written authorization from the Data Controller.

The Processor must notify the Data Controller of any intended changes to subprocessors at least three months in advance, allowing the Data Controller to object.

Subprocessor agreements must impose the same data protection obligations as in these Clauses. The Processor remains fully liable for subprocessor compliance.

---

8. Transfer to Third Countries or International Organizations

Transfers may only be made based on documented instructions from the Data Controller and in accordance with Chapter V GDPR.

Without such instructions, the Processor may not:

• Transfer personal data to a controller or processor in a third country or international organization
• Delegate processing to a subprocessor in a third country
• Process personal data in a third country

Instructions for such transfers are specified in Annex C.6.

---

9. Assistance to the Data Controller

The Processor shall assist the Data Controller in responding to data subjects’ rights (Articles 12–23 GDPR), including:

• Information duties
• Access, rectification, deletion, restriction, portability, objection, and automated decision-making

The Processor shall also assist with:

• Notification of personal data breaches to the supervisory authority and data subjects
• Data protection impact assessments

Specific technical and organizational measures for assistance are listed in Annex C.

---

10. Notification of Personal Data Breaches

The Processor shall notify the Data Controller without undue delay and, where possible, within 24 hours after becoming aware of a breach.

The Processor shall provide the information required by Article 33(3) GDPR to assist the Data Controller in reporting the breach.

---

11. Deletion and Return of Data

Upon termination of services, the Processor shall delete or return all personal data and confirm deletion, unless EU or national law requires retention.

---

12. Audit, Including Inspection

The Processor shall provide necessary information to demonstrate compliance and allow audits, including inspections, by the Data Controller or its authorized auditor.

Procedures are specified in Annex C.7–C.8.

The Processor shall grant access to supervisory authorities as required by law.

---

13. Parties’ Agreement on Other Matters

Parties may agree on additional provisions regarding the service, as long as they do not conflict with these Clauses or impair data subjects’ rights.

---

14. Commencement and Termination

These Clauses come into force on the date of signature by both Parties.

They remain valid for the duration of the service. Upon termination of services and deletion or return of personal data, the Clauses may be terminated by written notice from either Party.

---

Annex A – Details of the Processing

A.1 Purpose: Operation and support of HR and recruitment system

A.2 Nature of Processing: Operation of HR and recruitment system

A.3 Types of Personal Data: Name, email, phone, address, personal ID number, CV, documents uploaded by candidates or employees (e.g., employment contracts, appraisal notes)

A.4 Categories of Data Subjects: Employees, candidates

A.5 Duration: As long as the main service agreement between the Parties remains in effect

---

Annex B – Subprocessors

Approved Subprocessors:

• Philipp Mehrwald, VAT: ATU67742525, Innsbruck, Austria – Development and support of HR/recruitment system
• Hetzner Online GmbH, VAT: DE812871812, Gunzenhausen, Germany – Hosting

Notice period for changes: 3 months

---

Annex C – Instructions Regarding Processing

C.1 Scope: Operation and support of HR/recruitment system

C.2 Security Measures: Technical, organizational, and operational security measures described (IT policies, encryption, firewalls, backup, employee training, restricted access)

C.3 Assistance to Data Controller: As specified in Clauses 9.1 and 9.2

C.4 Retention / Deletion: Delete or return personal data upon service termination

C.5 Processing Location: Processor’s premises and approved subprocessors’ locations

C.6 Transfers to Third Countries: Only as instructed by the Data Controller; may include Standard Contractual Clauses

C.7–C.8 Audits and Inspections: Documentation, annual reports, physical audits, and risk-based assessments

---

Annex D – Other Matters

 

xxx